Skype finally gets End to End Encryption (sort of)

[AlTech]

Skype has finally added End to End Encryption, well sort of.

 

It uses the same Signal protocol used in WhastApp, Facebook Messenger and others.

 

However there are huge caveats. This does not apply at all to Video calls at least for now. And, "Private Conversations" as it is being called, it's not enabled by default. It requires the user to set it up and invite a user to join. 

 

The End to End Conversation only appears on the device the user starts a private conversation with. So no texting someone with it on your Phone and then switching to PC or something like that.

 

It should be noted that this is coming to the Official Release version of Skype soon. The lack of End to End Encrypted video calls is disappointing considering that the Signal Protocol does support it.

 

 

Quote

Since its inception, Skype has been notable for its secretive, proprietary algorithm. It's also long had a complicated relationship with encryption: encryption is used by the Skype protocol, but the service has never been clear exactly how that encryption was implemented or exactly which privacy and security features it offers.

That changes today in a big way. The newest Skype preview now supports the Signal protocol: the end-to-end encrypted protocol already used by WhatsApp, Facebook Messenger, Google Allo, and, of course, Signal. Skype Private Conversations will support text, audio calls, and file transfers, with end-to-end encryption that Microsoft, Signal, and, it's believed, law enforcement agencies cannot eavesdrop on.

Presently, Private Conversations are only available in the Insider builds of Skype. Naturally, the Universal Windows Platform version of the app—the preferred version on Windows 10—isn't yet supported. In contrast, the desktop version of the app, along with the iOS, Android, Linux, and macOS clients, all have compatible Insider builds. Private Conversations aren't the default and don't appear to yet support video calling. The latter limitation shouldn't be insurmountable (Signal's own app offers secure video calling). We hope to see the former change once updated clients are stable and widely deployed.

 

Personally, I don't use Skype much these days anymore. WhatsApp is more my thing but admittedly WhatsApp is still far from perfect with all the meta data that it collects.

 

Hopefully Skype doesn't collect the same amount of Meta Data that WhatsApp does with this private conversations feature.

 

Source:

https://arstechnica.com/gadgets/2018/01/skype-finally-getting-end-to-end-encryption/

[Sir Asvald]

What?! I thought it was already encrypted.. that's a fail. 

 

[AlTech]

1 minute ago, Abdul201588 said:

What?! I thought it was already encrypted.. that's a fail. 

 

Nope. Everything since the beginning has been 100% readable and viewable on their end.

[AlTech]

1 minute ago, Pangea2017 said:

Encryption done by a US company in a closed source programm ...

better then nothing, i guess

WhatsApp and Facebook do the same and nobody gives them flak.

1 minute ago, Pangea2017 said:

long time ago Skype were pear to pear

Really? I thought it was Apples to Apples! But then there'd be no compatibility with Microsoft then .

 

/Joke.

 

But anyhow, yeah it used to be P2P until like 2013 I think.

[LAwLz]

Still not going to trust Skype. The signal protocol is in and of itself great, it truly is, but Microsoft have lots of ways they can implement it poorly. For example if they don't implement a proper fingerprint validation technique they could very easily hijack the conversation without the users ever known.

 

 

8 minutes ago, Abdul201588 said:

What?! I thought it was already encrypted.. that's a fail.

It is encrypted. The difference is that it now supports end-to-end encryption.

That means the encryption is not broken between the sender and the receiver.

 

Skype, as it works today, only encrypts the traffic to and from Microsoft's own servers.

That means that your Skype client encrypts a message with a key Microsoft knows. Your message then gets sent to Microsoft's servers where it gets decrypted and saved. Then Microsoft encrypts the message again and sends it to the person you are chatting with.

 

With end-to-end encryption, Microsoft never knows the decryption keys. What it means is that Microsoft can not read the messages which use end-to-end encryption. In theory at least.

As long as Skype is closed source they can always design around it. Hell, they could even use Windows built in data harvesting services to read your Skye conversations even if they implement proper E2EE.

[captain_to_fire]

I didn't know that Skype wasn't encrypted until now. That's disappointing.

 

Meanwhile in Hangouts since 2016...

Spoiler

Hangouts message are encrypted. All signals, like messages, are encrypted over an HTTPS connection with 128-bit encryption, using TLS 1.2. The connection is encrypted and authenticated using AES_128_GCM. The key exchange mechanism is ECDHE_ECDSA.

Read more here: https://support.google.com/hangouts/answer/6046115?hl=en

...and FaceTime and iMessage...

Spoiler

When a user turns on iMessage on a device, the device generates two pairs of keys for use with the service: an RSA 1280-bit key for encryption and an ECDSA 256-bit key on the NIST P-256 curve for signing. The private keys for both key pairs are saved in the device’s Keychain and the public keys are sent to Apple’s directory service (IDS), where they are associated with the user’s phone number or email address, along with the device’s APNs address. As users enable additional devices for use with iMessage, their encryption and signing public keys, APNs addresses, and associated phone numbers are added to the directory service... The user’s outgoing message is individually encrypted for each of the receiver’s devices.

 

The initial FaceTime connection is made through Apple server infrastructure that relays data packets between the users’ registered devices. Using APNs notifications and Session Traversal Utilities for NAT (STUN) messages over the relayed connection, the devices verify their identity certificates and establish a shared secret for each session. The shared secret is used to derive session keys for media channels streamed via the Secure Real-time Transport Protocol (SRTP). SRTP packets are encrypted using AES-256 in Counter Mode and HMAC-SHA1. Subsequent to the initial connection and security setup, FaceTime uses STUN and Internet Connectivity Establishment (ICE) to establish a peer to-peer connection between devices, if possible.

Which makes me wonder when will Telegram add secured video calling?

[LAwLz]

5 minutes ago, hey_yo_ said:

I didn't know that Skype wasn't encrypted until now. That's disappointing.

It was. It just wasn't end-to-end. Neither is Hangouts.

iMessage and FaceTime are though.

[vanished]

21 minutes ago, Pangea2017 said:

Encryption done by a US company in a closed source programm ...

better then nothing, i guess

are you sure?

[samcool55]

3 hours ago, Ryan_Vickers said:

are you sure?

Well yeah at least the chinese can't read them.
Or the russians! Just imagine that the russians could read our messages.

[Guest]

Skype is just not necessary anymore. Just use FaceBook or FaceTime.

[yian88]

Skype and Microsoft oferring encryption? :)))))))))))))))))))))) 

Encryption in the full sense of the word as in neither 3rd party or Microsoft has access to skype keys/logs and they can see what you typed?

If you actually believe that, oh boi 

[AlTech]

Just now, yian88 said:

Skype and Microsoft oferring encryption? :)))))))))))))))))))))) 

Encryption in the full sense of the word as in neither 3rd party or Microsoft has access to skype keys/logs and they can see what you typed?

If you actually believe that, oh boi 

Oh I believe them. I do believe they'll offer Encryption and then collect nasty Meta Data just like WhatsApp does.

[yian88]

Just now, AluminiumTech said:

Oh I believe them. I do believe they'll offer Encryption and then collect nasty Meta Data just like WhatsApp does.

I never defended whats app i dont trust anything MS/Google/Apple or anything US/Russian/Chiness/ EU based. I only have a little trust in open source, encrypted Switzerland based services because of their laws but even that is questionable since i cant prove to myself those services dont hold my private keys/data and sell or inspect/profile it.

Meta Data you say? Skype/Fb etc they collect everything and make a heavily detailed profile of you worse than recent twitter leaks, with or without encryption.

 

Encryption used in most services is a fad because there are specific steps and types of encryption models that have to be used to ensure privacy which we cant know if they are used properly. They could probably encrypt nothing and call it encrypted services it has no value to me.

 

Ive switched emails to tutanota and next trying to find a way to switch to Wire for chat app the problem is other people dont use these services, they use the popular ones.

 

[AlTech]

2 minutes ago, yian88 said:

I never defended whats app i dont trust anything MS/Google/Apple or anything US/Russian/Chiness/ EU based. I only have a little trust in open source, encrypted Switzerland based services because of their laws but even that is questionable since i cant prove to myself those services dont hold my private keys/data and sell or inspect/profile it.

Meta Data you say? Skype/Fb etc they collect everything and make a heavily detailed profile of you worse than recent twitter leaks, with or without encryption.

 

Encryption used in most services is a fad because there are specific steps and types of encryption models that have to be used to ensure privacy which we cant know if they are used properly. They could probably encrypt nothing and call it encrypted services it has no value to me.

 

Ive switched emails to tutanota and next trying to find a way to switch to Wire for chat app the problem is other people dont use these services, they use the popular ones.

 

WhatsApp's meta data consists of who you communicate with and at what time. Not the contents of the messages themselves.

 

Apparently that is enough to make money from WhatsApp so idek anymore.

[Doobeedoo]

Don't really use Skype these days but really they could've made this more properly from the get go. Not half baked. 

[colonel_mortis]

Facebook messenger only end-to-end encrypts messages on explicitly created secret conversations. All the others are readable (and I believe read, parsed and learned from) by Facebook. The problem is partly that there are usability tradeoffs when using end-to-end encryption, because for it to be useful the keys have to be managed by you and not by the service. That's why FB messenger secret conversations are only available on the device you sent them from (not from the web version), and WhatsApp and Signal's desktop/web applications require you to scan a QR code on your phone to set them up.

 

Hangouts is encrypted to the same degree as Skype already was - HTTPS (between client and server) but not end-to-end.

[vanished]

8 hours ago, samcool55 said:

Well yeah at least the chinese can't read them.
Or the russians! Just imagine that the russians could read our messages.

If the US can read it, which is what was implied and imo is likely, then it's safe to assume others can too or will be able to soon.

[LAwLz]

On 1/16/2018 at 3:52 PM, yian88 said:

Ive switched emails to tutanota and next trying to find a way to switch to Wire for chat app the problem is other people dont use these services, they use the popular ones.

Me and some friends use Wire.

I like the idea and it works pretty well, but it really struggles with:

1) Large conversation threads. It becomes really slow from time to time, especially when you send and receive lots of embedded media files.

2) If you keep one device offline for a long time, syncing will be incredibly slow. I've had it take over an hour to start the program on my laptop after having it not connected for a month or so. It doesn't start and then you can see the message log fill up either. It has to sync everything before the program really starts and you can send/receive/read messages.

 

Really well thought out program from a security perspective, but their implementation seems to not scale that well with lots of devices and messages.

[Taf the Ghost]

Skype is one of the more interesting examples of constantly getting worse with time.

 

As for the encryption, that assumes the Skype Client itself is secure. Do you really want to go that far? 

 

The benefit of End-to-End is, mostly, that only your metadata can normally get caught up in mass-scale collections or any over-air channels. (This is more important for Mobile, for obvious reasons.) It does nothing if any service Intelligence Service wants to prying through your life. That is doable, but it's expensive and really un-user friendly.

[LAwLz]

11 hours ago, Taf the Ghost said:

It does nothing if any service Intelligence Service wants to prying through your life. That is doable, but it's expensive and really un-user friendly.

We do not know that. In fact, evidence points towards it not being true.

If you use a proper chat client, you can be fairly certain that your messages are safe and the content kept away from prying eyes.

 

I don't think Skype is a proper chat client though.

[Taf the Ghost]

4 hours ago, LAwLz said:

We do not know that. In fact, evidence points towards it not being true.

If you use a proper chat client, you can be fairly certain that your messages are safe and the content kept away from prying eyes.

 

I don't think Skype is a proper chat client though.

It depends on how many resources they want to put in to getting through. In the case of consumer communication products, the easier approach is to simply attack one end-point's OS and gain access to the client directly.

 

The questions with encryption is always: Who did you piss off? How interested are they in getting in?   End-to-end Consumer-grade encryption will keep the any locals or MITM type attacks at bay. Anything from a Federal Police level or up will have access to attack the devices, so the information is protected in Real-time but not Future-Time. So, it's good to have, just in general, as it does make communications more secure. Does that mean Skype is secure? I don't think so, haha.